Skip to main content

Is matomo.cloud a Scam? Security Check Results - Matomo Reviews

matomo.cloud favicon

Is matomo.cloud Safe? Security Analysis for Matomo

https://matomo.cloud

Check if matomo.cloud is a scam or legitimate. Free security scan and reviews.

TechnologyFrancemedium
WordPressElementorjQueryFont AwesomeUsercentrics CMP
Analyzed 9/5/2025Completed 5:07:51 AM
74
Security Score
MEDIUM RISK

AI Summary

Matomo is a privacy-focused analytics platform offering cloud-hosted and on-premise solutions that emphasize 100% data ownership and GDPR compliance. The company positions itself as a leading alternative to Google Analytics, targeting businesses and organizations that prioritize privacy and data control. The website is professionally designed, content-rich, and optimized for SEO and mobile devices, reflecting a mature digital presence. Technically, the site runs on WordPress with Elementor, uses modern libraries like jQuery and Font Awesome, and integrates Usercentrics for cookie consent management. Security-wise, the site enforces HTTPS, applies privacy-conscious JavaScript overrides, and uses a consent management platform, though it lacks explicit security headers and a published security policy. The domain registration is consistent and legitimate, registered with OVH sas in France since 2017, aligning with the company's European privacy focus. Overall, Matomo demonstrates a strong security posture and privacy compliance, with room for improvement in formal security disclosures and DNS security enhancements.

Detected Technologies

WordPressElementorjQueryFont AwesomeUsercentrics CMP

🧠AI Business Intelligence

Technology stack, business insights, and market analysis powered by AI.

Business Intelligence

Market & Strategic Analysis

Matomo operates in the technology sector, specifically in web analytics with a strong emphasis on privacy and data ownership. Its business model combines SaaS cloud services with open-source software offerings, appealing to privacy-conscious enterprises and organizations. The company has established a solid market position as a GDPR-compliant alternative to mainstream analytics providers. Its ecosystem includes extensive resources, pricing plans, and support services, indicating a medium-sized enterprise with a global reach. The website's comprehensive content and consistent branding reinforce trust and professionalism. Partnerships or subsidiaries are not explicitly identified, but the company maintains a strong social media presence and community engagement.

Security Posture Analysis

Comprehensive Security Assessment

The website exhibits a good security posture with HTTPS enforced and integration of a consent management platform (Usercentrics) for GDPR compliance. The JavaScript includes privacy-aware overrides to prevent certain local storage keys from being set, indicating attention to data protection. However, the absence of DNSSEC and security headers such as Content-Security-Policy or X-Frame-Options suggests areas for enhancement. No explicit security policy or incident response contacts are published, which could improve transparency and readiness. No vulnerabilities or exposed sensitive data were detected in the analyzed content. Overall, the security maturity is solid but could benefit from formalized policies and additional technical controls.

Strategic Recommendations

Priority Actions for Security Improvement

1

Enable DNSSEC on the domain to strengthen DNS security and prevent spoofing.

Observations

AI-powered comprehensive website and business analysis.

AI-Enhanced Website Analysis

Business Insights

Company:

Matomo

Description:

Matomo provides a cloud-hosted analytics platform focused on data ownership, privacy, and flexibility.

Key Services:
Cloud-hosted analyticsOn-premise analyticsData ownership and privacy protection
Content Quality:

excellent

Branding:

consistent

Technical Stack

Technologies:
WordPressElementorjQueryFont AwesomeUsercentrics CMP
Frameworks:
Yoast SEO
Platforms:
Cloud hosting via AWS DNS servers
Performance:

fast

Mobile:

excellent

Accessibility:

good

SEO:

excellent

Security Assessment

Security Score:
85/100
Best Practices:
  • HTTPS enforced
  • Storage API override to prevent setting 'elementor' key for privacy
  • Use of Usercentrics consent management platform

Analytics & Tracking

Services:
Matomo Analytics (self)Usercentrics CMP
Tracking Level:moderate
Privacy Compliance:excellent

Advertising & Marketing

Tracking Pixels:
Usercentrics
Marketing Tools:
Yoast SEOUsercentrics CMP
Transparency Level:good

Website Quality Assessment

Design Quality:excellent
User Experience:excellent
Content Relevance:excellent
Navigation Clarity:excellent
Professionalism:excellent
Trustworthiness:high

Key Observations

1

Website is fully accessible with no blocking or WAF challenges.

🛡️Security Headers

HTTP security headers analysis and recommendations.

Security Headers

HTTP security headers analysis

70/100
Score

Missing X-Frame-Options header

HIGH

Prevents clickjacking attacks

Weak X-XSS-Protection configuration

LOW

Current value: "0"

Missing Referrer-Policy header

LOW

Controls referrer information sent with requests

Sensitive data may be cached

LOW

Cache-Control header should include "no-store" for sensitive pages

👤GDPR Compliance

Privacy and data protection assessment under GDPR regulations.

GDPR Compliance

Privacy and data protection assessment

95/100
Score

No Data Protection Officer mentioned

LOW

Large organizations may need to designate a DPO under GDPR

GDPR Compliance Analysis

Privacy Policy85% confidence
Cookie Policy85% confidence
Contact Information Found90% confidence
phone

🛡️NIS2 Compliance

Network & Information Security Directive compliance assessment.

NIS2 Compliance

Network & Information Security Directive

55/100
Score

No vulnerability disclosure policy

MEDIUM

NIS2 encourages coordinated vulnerability disclosure

No incident response procedures found

HIGH

NIS2 requires documented incident response and business continuity plans

No security contact information

HIGH

NIS2 requires clear incident reporting channels

No vulnerability reporting mechanism

MEDIUM

Clear vulnerability reporting supports coordinated disclosure

No NIS2 reference found

LOW

Consider explicitly mentioning NIS2 compliance efforts

📧Email Security

SPF, DKIM, and DMARC validation and email security assessment.

Email Security

SPF, DKIM, and DMARC validation

80/100
Score

Complex SPF record

LOW

Too many include statements can cause lookup limits

No BIMI Record

LOW

BIMI displays brand logos in email clients

No MTA-STS Policy

MEDIUM

MTA-STS enforces TLS for email delivery

No TLS-RPT Record

LOW

TLS-RPT provides reporting for email TLS issues

SPF
Sender Policy Framework
DKIM
DomainKeys Identified Mail
DMARC
Domain-based Message Authentication
MX Records
Mail Exchange Records
BIMI
Brand Indicators
MTA-STS
Mail Transfer Agent Security
TLS-RPT
TLS Reporting
DNSSEC
DNS Security
SPF Details
Record:
v=spf1 include:_spf.alwaysdata.com include:helpscoutemail.com include:spf.em.secureserver.net include:spf.discoursehosting.com include:22519270.spf08.hubspotemail.net ~all
DNS Lookups:5/10
Policy:~all
DKIM Selectors Found
Selector:s1(1440-bit rsa)
DMARC Details
Policy:quarantine
Subdomain Policy:reject
Aggregate Reports:dmarc-report@matomo.org
Forensic Reports:dmarc-failure@matomo.org

🏆SSL/TLS Security

Certificate validity and encryption analysis.

SSL/TLS Security

Certificate validity and encryption analysis

95/100
Score

SSL Certificate Expires Within 90 Days

MEDIUM

SSL certificate expires in 77 days

Partial SSL/TLS Assessment

LOW

Completed 2 of 4 security checks due to time constraints

Certificate Details

Subject:matomo.org
Issuer:R12
Valid Until:11/21/2025 (77 days)
SANs:matomo.org

OCSP Status

OCSP Stapling Disabled

📊DNS Health

DNS configuration and security assessment.

DNS Health

DNS configuration and security assessment

90/100
Score

DNSSEC Not Enabled

MEDIUM

DNSSEC is not configured for this domain

Domain Registration Details

Domain Age
7 years(mature)
Expiry Risk
none(2558 days)
Protection Level
moderateDNSSEC OFF

DNS Records

A Records:185.31.40.177
AAAA Records:2a00:b6e0:1:200:177::1
Name Servers:
ns-1081.awsdns-07.org
ns-1635.awsdns-12.co.uk
ns-516.awsdns-00.net
ns-85.awsdns-10.com
MX Records:
5: matomo.alwaysdata.net
10: mx1.alwaysdata.com
15: mx2.alwaysdata.com
SOA:Serial: 1, TTL: 86400s

DNSSEC Status

DNSSEC Not Enabled

DNS Performance

Resolution Time:44ms

SPF Analysis

SPF Record:
v=spf1 include:_spf.alwaysdata.com include:helpscoutemail.com include:spf.em.secureserver.net include:spf.discoursehosting.com include:22519270.spf08.hubspotemail.net ~all

Network Security

Port scanning and network exposure analysis.

Network Security

Port scanning and network exposure analysis

20/100
Score

High-Risk Service Exposed: FTP

HIGH

Port 21 (FTP) is publicly accessible - FTP - Often unencrypted file transfer

Service Exposed: SSH

MEDIUM

Port 22 (SSH) is publicly accessible - SSH - Secure but can be brute-forced

🔧Technical Analysis

Detailed technical findings and analysis from AI assessment.

Technical Analysis

Comprehensive security assessment findings

Additional Findings

The website is built on WordPress CMS with the Elementor page builder, leveraging jQuery and Font Awesome for UI elements. It uses Yoast SEO for search engine optimization and integrates Usercentrics for cookie consent management. Hosting appears to be supported by OVH sas for domain registration and AWS DNS servers, indicating a robust infrastructure. The site is well-optimized for performance and mobile responsiveness, with preloading and preconnecting of critical resources. The technical implementation is modern and follows best practices, though there is an opportunity to improve security headers and DNS security. The site’s structured data and metadata are well-formed, supporting SEO and social media sharing.
Analyze Another Website